{
    "sources": {
        "Cookies": [
            "request.cookies.get(",
            "request.COOKIES[",
            "COOKIES.get(",
            "COOKIES[",
            "cookies[",
            "request.cookie(",
            "get_cookie_values("
        ],
        "UserSecrets": [
            "get_auth_token(",
            "get_security_payload("
        ],
        "UserData": [],
        "UserControlled": [
            "Markup(",
            "mark_safe("
        ],
        "Framework_Parameter": [],
        "UserControlled_Payload": [
            "request.get_json(",
            "request.get_data(",
            "request.post(",
            "request.POST.getlist(",
            "request.POST[",
            "request.POST.get(",
            "request.post_vars[",
            "request.META[",
            "request.META.get(",
            "request.body(",
            "req.get_json(",
            "req.get_data(",
            "req.post(",
            "req.POST.getlist(",
            "req.POST[",
            "req.POST.get(",
            "req.post_vars[",
            "req.body(",
            "web.data(",
            "web.input(",
            "request.json(",
            "request.stream(",
            "request.form(",
            "q.getlist(",
            "POST.get(",
            "POST[",
            "REQUEST[",
            "request.FILES[",
            "req.FILES[",
            "request.readline(",
            "request.readlines(",
            "request.form[",
            "request.form(",
            "request.files[",
            "req.form[",
            "req.form(",
            "req.files[",
            "session.options(",
            "session.head(",
            "session.post(",
            "session.put(",
            "session.patch(",
            "session.delete(",
            "session.ws_connect(",
            "cherrypy.session[",
            "session[",
            "client.options(",
            "client.head(",
            "client.post(",
            "client.put(",
            "client.patch(",
            "client.delete(",
            "client.ws_connect(",
            "client.request(",
            "get_argument(",
            "get_arguments(",
            "get_body_argument(",
            "get_body_arguments(",
            "get_query_argument(",
            "get_query_arguments(",
            "_REQ(",
            "ws.process_request(",
            "ws.build_request(",
            "ws.check_request(",
            "ws.parse_connection(",
            "ws.parse_upgrade(",
            "ws.parse_extension(",
            "ws.parse_subprotocol(",
            "ws.parse_authorization_basic(",
            "socket.process_request(",
            "socket.build_request(",
            "socket.check_request(",
            "socket.parse_connection(",
            "socket.parse_upgrade(",
            "socket.parse_extension(",
            "socket.parse_subprotocol(",
            "socket.parse_authorization_basic(",
            "websocket.process_request(",
            "websocket.build_request(",
            "websocket.check_request(",
            "websocket.parse_connection(",
            "websocket.parse_upgrade(",
            "websocket.parse_extension(",
            "websocket.parse_subprotocol(",
            "websocket.parse_authorization_basic(",
            "websocket.receive_text(",
            "websocket.receive_bytes(",
            "websocket.receive_json(",
            "websocket.receive(",
            "connector_api.start_waiting_for_messages(",
            "start_waiting_for_messages(",
            "UploadMutation(",
            "req.stream.read(",
            "req.read(",
            "req.readline(",
            "req.readlines("
        ],
        "UserControlled_Parameter": [
            "request.args.get(",
            "request.json.get(",
            "request.query_params[",
            "request.query(",
            "request.input(",
            "request.path_params[",
            "cherrypy.request.params[",
            "request.params.get(",
            "GET.get(",
            "REQUEST.get(",
            "request.param(",
            "client.get(",
            "formdata.get(",
            "request.values.get(",
            "request.form.get(",
            "req.form.get(",
            "websocket.query_params[",
            "context.get(",
            "request.get_param(",
            "req.get_param(",
            "request.get_param_as_json(",
            "req.get_param_as_json(",
            "req.argument(",
            "request.get_vars["
        ],
        "UserSession": [
            "session.get(",
            "session.request(",
            "session_parameters["
        ],
        "UserControlled_Meta": [
            "META.get(",
            "META[",
            "request.headers[",
            "request.referrer",
            "websocket.headers[",
            "request.headers.get(",
            "request.get_header(",
            "request.header(",
            "req.header("
        ],
        "ServerSecrets": [],
        "HeaderData": [],
        "URL": [],
        "MemCache": [],
        "DataFromGET": [],
        "MaybeDataFromGET": []
    },
    "sinks": {
        "FileSystem": {
            "make_archive(": {},
            "unpack_archive(": {},
            "zipfile.ZipFile(": {},
            "ZipFile(": {},
            "gzip.GzipFile(": {},
            "GzipFile(": {},
            "tempfile.TemporaryFile(": {},
            "tempfile.NamedTemporaryFile(": {},
            "tempfile.SpooledTemporaryFile(": {},
            "tempfile.TemporaryDirectory(": {},
            "tempfile.mkstemp(": {},
            "tempfile.mkdtemp(": {},
            "TemporaryFile(": {},
            "NamedTemporaryFile(": {},
            "SpooledTemporaryFile(": {},
            "TemporaryDirectory(": {},
            "mkstemp(": {},
            "mkdtemp(": {},
            "symlink_to(": {},
            "write_bytes(": {},
            "write_text(": {},
            "Path(": {},
            "os.mkdir(": {},
            "os.makedirs(": {},
            "os.rename(": {},
            "os.rmdir(": {},
            "os.link(": {},
            "os.truncate(": {},
            "os.copy_file_range(": {},
            "os.sendfile(": {},
            "shutil.rmtree(": {},
            "shutil.copyfile(": {},
            "shutil.copymode(": {},
            "shutil.copystat(": {},
            "shutil.copy(": {},
            "shutil.copy2(": {},
            "shutil.copytree(": {},
            "shutil.move(": {},
            "shutil.chown(": {},
            "shutil.make_archive(": {},
            "rmtree(": {},
            "copyfile(": {},
            "copymode(": {},
            "copystat(": {},
            "copy2(": {},
            "copytree(": {},
            "shutil.unpack_archive(": {},
            "tarfile.TarFile.open(": {},
            "marshal.dump(": {},
            "shelve.DbfilenameShelf(": {},
            "shelve.open(": {},
            "to_csv(": {},
            "to_hdf(": {},
            "to_latex(": {},
            "to_sql(": {},
            "import_module(": {},
            "f.write(": {},
            "fp.write(": {},
            "open_file.write(": {},
            "f.writelines(": {},
            "fp.writelines(": {},
            "StataWriter.write_file(": {},
            "tf.io.write_file(": {},
            "tf.io.write_graph(": {},
            "tf.io.gfile.copy(": {},
            "tf.io.gfile.makedirs(": {},
            "tf.io.gfile.mkdir(": {},
            "tf.io.gfile.remove(": {},
            "tf.io.gfile.rename(": {},
            "tf.io.gfile.rmtree(": {},
            "tf.summary.create_file_writer(": {},
            "to_disk(": {},
            "document.save(": {},
            "FileSystemLoader(": {}
        },
        "Exfiltration": {
            "send_file(": {"sanitisers": ["'..'", "'..' in"]},
            "open(": {},
            "read_bytes(": {},
            "read_text(": {},
            "gzip.open(": {},
            "bz2.open(": {},
            "read_pickle(": {},
            "read_stata(": {},
            "read_clipboard(": {},
            "read_json(": {},
            "read_html(": {},
            "read_excel(": {},
            "send_from_directory(": {},
            "FileResponse(": {},
            "tf.io.read_file(": {},
            "from_disk(": {},
            "from_file(": {},
            "response.file(": {},
            "response.file_stream(": {}
        },
        "GetAttr": {

        },
        "Logging": {
            "log.debug(": {"sanitisers": ["sanitize"]},
            "log.info(": {"sanitisers": ["sanitize"]},
            "log.warning(": {"sanitisers": ["sanitize"]},
            "log.error(": {"sanitisers": ["sanitize"]},
            "log.exception(": {"sanitisers": ["sanitize"]},
            "log.critical(": {"sanitisers": ["sanitize"]},
            "logger.debug(": {"sanitisers": ["sanitize"]},
            "logger.info(": {"sanitisers": ["sanitize"]},
            "logger.warning(": {"sanitisers": ["sanitize"]},
            "logger.error(": {"sanitisers": ["sanitize"]},
            "logger.exception(": {"sanitisers": ["sanitize"]},
            "LOG.debug(": {"sanitisers": ["sanitize"]},
            "LOG.info(": {"sanitisers": ["sanitize"]},
            "LOG.warning(": {"sanitisers": ["sanitize"]},
            "LOG.error(": {"sanitisers": ["sanitize"]},
            "LOG.exception(": {"sanitisers": ["sanitize"]},
            "log.critical(": {"sanitisers": ["sanitize"]},
            "log(": {"sanitisers": ["sanitize"]},
            "print(": {"sanitisers": ["sanitize"]},
            "log_error(": {"sanitisers": ["sanitize"]},
            "log_info(": {"sanitisers": ["sanitize"]}
        },
        "Redirect": {
            "send_redirect(": {},
            "redirect(": {},
            "request.redirect(": {},
            "request.redirect_intended(": {},
            "RedirectResponse(": {},
            "HTTPPermanentRedirect(": {},
            "HTTPTemporaryRedirect(": {},
            "HTTPSeeOther(": {},
            "HTTPMovedPermanently(": {},
            "HTTPFound(": {}
        },
        "RemoteCodeExecution": {
            "os.execl(": {},
            "os.execle(": {},
            "os.execlp(": {},
            "os.execlpe(": {},
            "os.execv(": {},
            "os.execve(": {},
            "os.execvp(": {},
            "os.execvpe(": {},
            "os.popen(": {},
            "os.popen2(": {},
            "os.popen3(": {},
            "os.popen4(": {},
            "os.spawnl(": {},
            "os.spawnle(": {},
            "os.spawnlp(": {},
            "os.spawnlpe(": {},
            "os.spawnv(": {},
            "os.spawnve(": {},
            "os.spawnvp(": {},
            "os.spawnvpe(": {},
            "os.startfile(": {},
            "os.system(": {},
            "os.open(": {},
            "os.walk(": {},
            "os.chown(": {},
            "os.lchown(": {},
            "os.access(": {},
            "os.chflags(": {},
            "os.lchflags(": {},
            "os.utime(": {},
            "os.chdir(": {},
            "os.chroot(": {},
            "os.putenv(": {},
            "os.unsetenv(": {},
            "os.remove(": {},
            "os.removedirs(": {},
            "os.renames(": {},
            "os.replace(": {},
            "os.unlink(": {},
            "os.fwalk(": {},
            "os.setxattr(": {},
            "shelve.open(": {},
            "commands.getoutput(": {},
            "commands.getstatusoutput(": {},
            "eval(": {},
            "exec(": {},
            "popen2.Popen3(": {},
            "popen2.Popen4(": {},
            "popen2.popen2(": {},
            "popen2.popen3(": {},
            "popen2.popen4(": {},
            "subprocess.Popen(": {},
            "subprocess.call(": {},
            "subprocess.check_call(": {},
            "subprocess.check_output(": {},
            "subprocess.run(": {},
            "subprocess.getstatusoutput(": {},
            "subprocess.getoutput(": {},
            "subprocess.create_subprocess_exec(": {},
            "subprocess.create_subprocess_shell(": {},
            "tf.io.decode_and_crop_jpeg(": {},
            "tf.io.decode_bmp(": {},
            "tf.io.decode_compressed(": {},
            "tf.io.decode_csv(": {},
            "tf.io.decode_gif(": {},
            "tf.io.decode_image(": {},
            "tf.io.decode_png(": {},
            "tf.io.decode_jpeg(": {},
            "rpc_sync(": {},
            "rpc_async(": {},
            "rpc.remote(": {},
            "mp.Process(": {},
            "linker.instantiate(": {}
        },
        "RequestSend": {
            "urllib.request.urlretrieve(": {},
            "request.urlretrieve(": {},
            "session.prepare_request(": {},
            "session.send(": {},
            "urlretrieve(": {},
            "urlopen(": {},
            "open_unknown(": {},
            "set_tunnel(": {},
            "putrequest(": {},
            "putheader(": {},
            "create_connection(": {},
            "socket.connect(": {},
            "socket.connect_ex(": {},
            "socket.send(": {},
            "socket.ping(": {},
            "socket.sendall(": {},
            "socket.setopt(": {},
            "ws.retrieve(": {},
            "ws.send(": {},
            "ws.ping(": {},
            "ws.sendall(": {},
            "ws.setopt(": {},
            "kore.httpclient(": {}
        },
        "MailSend": {
            "send_mail(": {}
        },
        "ReturnedToUser": {
            "flash(": {},
            "jsonify(": {},
            "response(": {},
            "render(": {},
            "render_template(": {},
            "render_to_response(": {},
            "render_body(": {},
            "response.write(": {},
            "HttpResponse(": {},
            "HttpResponse(memoryview(": {},
            "JsonResponse(": {},
            "JSONResponse(": {},
            "PlainTextResponse(": {},
            "build_response(": {},
            "prepare_data(": {},
            "encode_data(": {},
            "form.add_error(": {},
            "websocket.send(": {},
            "websocket.send_text(": {},
            "websocket.send_bytes(": {},
            "websocket.send_json(": {},
            "stream_with_context(": {},
            "set_stream(": {},
            "Response(": {},
            "Response(stream_with_context(": {},
            "UJSONResponse(": {},
            "StreamingResponse(": {},
            "HTMLResponse(": {},
            "TemplateResponse(": {},
            "OpenAPIResponse(": {},
            "request.send_push_promise(": {},
            "connector_api.send_message(": {},
            "send_message(": {},
            "connector_api.publish_message(": {},
            "publish_message(": {},
            "manager.send_personal_message(": {},
            "manager.broadcast(": {},
            "response.json(": {},
            "response.text(": {},
            "response.stream(": {},
            "response.raw(": {},
            "as_p(": {},
            "as_ul(": {},
            "as_table(": {},
            "as_hidden(": {},
            "as_widget(": {},
            "messages.add_message(": {}
        },
        "ResponseHeaderName": {
            "set_header(": {},
            "add_header(": {}
        },
        "ResponseHeaderValue": {
            "set_cookie(": {},
            "setCookie(": {},
            "set_data(": {},
            "set_headers(": {},
            "resp.headers[": {},
            "response.headers[": {},
            "req.response_header(": {},
            "append_header(": {},
            "SimpleCookie(": {}
        },
        "SQL": {
            "cursor.execute(": {"sanitisers": ["bindparams"], "unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "curA.execute(": {"sanitisers": ["bindparams"], "unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "curB.execute(": {"sanitisers": ["bindparams"], "unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "cursor.executemany(": {"sanitisers": ["bindparams"], "unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "cursor.executescript(": {"sanitisers": ["bindparams"], "unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "executemany(": {"sanitisers": ["bindparams"], "unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "executescript(": {"sanitisers": ["bindparams"], "unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "run_callable(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "scalar(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "database.execute(": {"sanitisers": ["bindparams"], "unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "engine.execute(": {"sanitisers": ["bindparams"], "unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "database.fetch_all(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "database.fetch_one(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "database.iterate(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "database.execute_many(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "read_sql(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "read_sql_query(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "read_sql_table(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "DBSession.query(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "objects.raw(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}}
        },
        "NoSQL": {
            "client.CreateDatabase(": {},
            "client.CreateContainer(": {},
            "client.CreateItem(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "client.ReadItem(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "client.ReadItems(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "client.QueryItems(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "client.QueryItemsChangeFeed(": {},
            "client.QueryContainers(": {},
            "client.QueryDatabases(": {},
            "client.ReadContainer(": {},
            "client.ReadContainers(": {},
            "client.ReadDatabase(": {},
            "client.ReadDatabases(": {},
            "client.ReplaceContainer(": {},
            "client.QueryOffers(": {},
            "client.DeleteContainer(": {},
            "client.DeleteDatabase(": {},
            "client.DeleteContainer(": {},
            "insert_one(": {},
            "insert_many(": {},
            "db.command(": {},
            "map_reduce(": {},
            "db.create_collection(": {},
            "collection.find(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "find(query)": {},
            "create_index(": {},
            "update_many(": {},
            "client.admin.command(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "client.drop_database(": {},
            "db.get_collection(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "count_documents(": {"unlisted_args_propagate": false, "arg_dict": {"text": 0}},
            "bulk_write(": {},
            "with_options(codec_options=CodecOptions(": {},
            "fs.put(": {},
            "fs.get(": {},
            "client.get_database(": {},
            "bucket.get(": {},
            "HDFStore.put(": {},
            "HDFStore.append(": {},
            "HDFStore.get(": {},
            "HDFStore.select(": {}
        },
        "BigData": {
            "read_gbq(": {},
            "read_table(": {},
            "read_fwf(": {},
            "read_hdf(": {},
            "read_parquet(": {},
            "read_feather(": {},
            "read_orc(": {},
            "read_spss(": {},
            "HDFStore.walk(": {}
        },
        "GraphQL": {
            "schema.execute(": {},
            "schema.execute_async(": {}
        },
        "XMLParser": {
            "parser.from_string(": {},
            "xml.from_string(": {},
            "xml.parse(": {},
            "etree.parse(": {},
            "ET.parse(": {},
            "xml.iterparse(": {},
            "XML(": {},
            "XMLParser.feed(": {},
            "xml.fromstring(": {},
            "ET.fromstring(": {},
            "parser.fromstring(": {},
            "ET.fromstringlist(": {},
            "parser.fromstringlist(": {},
            "parser.feed(": {},
            "ET.XMLPullParser([": {},
            "ExcelFile.parse(": {},
            "Document(": {},
            "document.add_heading(": {},
            "document.add_paragraph(": {},
            "document.add_picture(": {}
        },
        "XSS": {
            "do_mark_safe(": {},
            "markdown(": {},
            "markdownFromFile(": {},
            "html.replace(": {"sanitisers": ["escape"]},
            "quoteattr(": {},
            "format_html_join(": {},
            "render_template_string(": {"sanitisers": ["escape"]},
            "make_response(": {"sanitisers": ["escape"]}
        },
        "MemcacheSink": {
            "set_many(": {}
        },
        "DataStorage": {

        },
        "ServerSideTemplateInjection": {
            "Jinja2.from_string(": {},
            "Environment(loader=BaseLoader).from_string(": {},
            "compile_expression(": {}
        },
        "Deserialization": {
            "msgpack.unpackb(": {},
            "tf.io.decode_proto(": {},
            "tf.io.decode_raw(": {},
            "pickle.loads(": {},
            "pickle.Unpickler(": {},
            "pickle.load(": {},
            "yaml.load(": {},
            "pickle.Unpickler(": {},
            "marshal.load(": {},
            "yaml.load_all(": {},
            "Module.from_file(": {}
        },
        "PrivateRef": {
            "objects.get(pk=": {}
        }
    }
}
